Automatic access to network devices using various authentication schemes

ABSTRACT

An access discovery method and system discovers and stores the proper access protocol for each device on a network. The discovery process includes progressively sequencing through state transitions until a successful access protocol sequence is determined, and an access script corresponding to this sequence is stored for subsequent access to the device. Preferably, the protocol-discovery algorithm is modeled as a state table that includes a start state and two possible terminal states: success and failure. A state machine executes the state table until a terminal state is reached; if the terminal state is a failure, the system backtracks to attempt an alternative sequence. The process continues until the success state is reached or until all possible sequences are executed without success. An exemplary state model is provided that has been shown to be effective for modeling network devices from a variety of vendor devices.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.11/503,554, entitled “AUTOMATIC ACCESS TO NETWORK DEVICES USING VARIOUSAUTHENTICATION SCHEMES,” filed Aug. 11, 2006, which claims the benefitof U.S. Provisional Patent Application 60/709,770, filed 19 Aug. 2005,both of which are incorporated by reference in their entirety.

BACKGROUND

This invention relates to the field of network management, and inparticular to a system that facilitates access to network devices usinga variety of authentication/access schemes.

To adequately manage a network, access must often be gained to devicesof the network, to determine and/or modify their configuration, obtaindiagnostic information, monitor their performance, and so on.

In order to gain access to a network device, an authentication processis typically required, which generally includes the execution of apre-defined access protocol. The access protocol is generally specificto each device, or device type, as determined by the vendor, and is alsooften dependent upon the particular configuration of the device, such aswhether it is configured for Telnet, Secure Shell, or SNMP, and so on.

FIGS. 1A and 1B illustrate examples of two differentaccess/authentication protocols for gaining access to two differentnetwork devices (in this example, a JUNIPER device and a CISCO device,respectively) that are configured to provide access via Telnet.

In FIG. 1A, after communication is established, the device provides aninitial prompt (“login:”) 110, to which the user desiring accessresponds with a predefined user name 115. The device responds withanother prompt (“Password:”) 120, to which the user responds with apredefined password 125. If the login name and password are recognizedby the device as being authorized to grant access, the device respondswith an identification stream 130, and terminates the stream 130 with aprompt symbol (“>”) 140, to which the user can respond with a specificquery or command. If the login name and password are not recognized, thedevice generally responds with an error message and reissues the loginprompt (“login:”).

In FIG. 1B, a different protocol is used; in this protocol, the deviceprovides an initial prompt (“Password:”) 160, to which the user respondswith a predefined password 165. If the device recognizes the password,the device issues a subsequent prompt (“>”) 170. In this particularexample device, there are two levels of user access, commonly termed‘user’ and ‘super-user’ access levels. To request super-user access, theuser responds with “enable” 175, to which the device responds with asecond password prompt 180. If the user provides a recognized super-userpassword 185, the device grants this higher level access, and indicatesthe different access level with a different prompt symbol (“#”) 190.

Often, the management of a network requires modification to many networkdevices. For example, to enhance security, the authentication parameters(username, password, community string) of some or all of the networkdevices may be changed periodically. Applying changes to many devicesmanually can be very tedious and error prone, and an automation of theprocess would reduce the tedium and errors. Other tasks, such as systemdiagnosis tasks that require knowledge of device configurations, wouldalso benefit from automation tools that automatically collect suchconfiguration information. However, to use such automation processes,access must be provided to each device being modified or monitored, andthe disparate access protocols among device types introduces asubstantial hurdle to such tasks.

It is an objective of this invention to provide a method and system tofacilitate gaining access to a variety of different network devices. Itis a further objective of this invention to provide a method and systemto facilitate the creation of authentication/access protocol scripts fora variety of different network devices. It is a further objective ofthis invention to facilitate the creation of authentication/accessprotocol scripts to support future devices or standards.

These objects, and others, are achieved by a method and system thatdiscovers and stores the proper access protocol for each device on anetwork. The discovery process includes progressively sequencing throughstate transitions until a successful access protocol sequence for adevice is determined. When a successful access sequence is determined, asequence script corresponding to this sequence is stored for subsequentaccess to the device. Preferably, the protocol-discovery algorithm ismodeled as a state table that includes a start state and two possibleterminal states: success and failure. A state machine executes the statetable until a terminal state is reached; if the terminal state is afailure, the system backtracks to attempt an alternative sequence. Theprocess continues until the success state is reached or until allpossible sequences are executed without success. An exemplary statemodel is provided that has been shown to be effective for modelingnetwork devices from a variety of vendor devices, as are techniques forgenerating protocol scripts based on this model, or others.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is explained in further detail, and by way of example,with reference to the accompanying drawings wherein:

FIGS. 1A and 1B illustrate example access protocol sequences for twodifferent network devices;

FIG. 2 illustrates an example block/flow diagram for securing access toa typical network device;

FIGS. 3A and 3B illustrate example state diagrams corresponding to theaccess protocol sequences of FIGS. 1A and 1B;

FIG. 4A illustrates an example model of a generic state diagram that canbe used to represent a variety of access protocol sequences inaccordance with this invention, and FIG. 4B illustrates an example flowdiagram of the process within each state;

FIG. 5 illustrates an extract of an example XML file that serves todescribe an example universal access protocol model;

FIG. 6 illustrates an example block diagram of a network device accesssystem in accordance with this invention; and

FIG. 7 illustrates an example access protocol script created inaccordance with this invention.

Throughout the drawings, the same reference numerals indicate similar orcorresponding features or functions. The drawings are included forillustrative purposes and are not intended to limit the scope of theinvention.

DETAILED DESCRIPTION

In the following description, for purposes of explanation rather thanlimitation, specific details are set forth such as the particulararchitecture, interfaces, techniques, etc., in order to provide athorough understanding of the concepts of the invention. However, itwill be apparent to those skilled in the art that the present inventionmay be practiced in other embodiments, which depart from these specificdetails. In like manner, the text of this description is directed to theexample embodiments as illustrated in the Figures, and is not intendedto limit the claimed invention beyond the limits expressly included inthe claims. For purposes of simplicity and clarity, detaileddescriptions of well-known devices, circuits, and methods are omitted soas not to obscure the description of the present invention withunnecessary detail.

FIG. 2 illustrates a typical authentication sequence between a networkadministrator's terminal 210, hereinafter the accessing system, and anetwork device 220. As noted above, this invention addresses the processof gaining access, typically privileged access, to devices on a networkupon successful completion of an authentication process. Theauthentication process includes verifying the identity and legitimacy ofa person or a process attempting to gain access to a network device, andincludes the following processes:

-   -   Determine (211) whether the network device is accessible.    -   Identify (212) the authentication scheme to use to communicate        with the network device, the most common being telnet, secure        shell and SNMP.    -   Identify (213) the accessing entity to the network device,        typically using a login and a password.    -   Acknowledging (214) authentication, typically by a change of        prompting signals from the network device.

Before gaining control of a network device, the system determineswhether the network device is accessible 211. There are many ways todetermine if the network device is accessible, such as sending ICMP echomessages to the network device. In a preferred embodiment of thisinvention, a sequence of different techniques are attempted until aresponse is received, including ICMP echo, SNMP, and pinging forwell-known ports. Examples of some of the well known ports include: port7 assigned to echo port; port 23 used by telnet protocol; port 22 usedby secure shell (ssh) protocol; and port 80 used by http protocol forweb access.

After determining that the network device is accessible, the systemdetermines the authentication scheme that is to be used 212, preferablyincluding telnet, secure shell protocol, and the SNMP protocol. Thesystem determines which of these authentication schemes are supported bythe device and stores this information. If more than one authenticationscheme is available for the network device, user defined priorities areused to select which access scheme to use.

Upon determination and/or selection of an authentication scheme, thesystem provides information to authenticate the system to the device213. As noted above, the authentication protocol information andsequence varies among devices. Some network devices require only apassword to gain control of the network device, whereas other devicesrequire a username and password and, in some cases, an additionalsuper-user or privileged password, to gain control of the networkdevice. Other devices may only require a login name. The set ofauthentication information and the communication sequence/protocol isdependent on the particular device, and typically varies for each vendorand sometimes for each device type with a vendor's product line.

If the system properly identifies itself as being entitled to access tothe network device, both the system and the network device agree uponthe completion of the authentication process 214, and the network deviceprovides control to the system to perform any further network managementtasks. This transfer of control is generally signaled by the use of adifferent prompt symbol by the network device.

If the appropriate prompt is received by the system, the system proceedsto engage in privileged transactions 215, such as receiving or modifyingthe configuration of the device, receiving diagnostic information, andso on. On the other hand, if the authentication fails, the accessingsystem initiates another authentication script and reattempts theauthentication 213.

As discussed above, the system of this invention attempts to gain accessto a network device by executing, or attempting to execute, anauthentication sequence that is appropriate for the given device. Inaccordance with an aspect of this invention, the system is configured toprogressively attempt authentication by dynamically creating possibleprotocol scripts. The term script is used herein to identify the portionof the protocol sequence provided by the accessing system. As also notedabove, the different authentication sequences include differences inboth information content as well as the sequence used to provide theinformation sequence.

The authentication process can be modeled using a state transitionmodel. FIGS. 3A and 3B illustrate, for example, state diagrams for theauthentication sequences illustrated in FIGS. 1A and 1B, respectively.In each diagram, the initial start state is “C”, the connected-to-devicestate, and either of two terminal states, S, the successfulauthentication state, and F, the failed authentication state. Thereference numerals correspond to the reference numerals of FIGS. 1A and1B, except that the initial digits “1” in FIGS. 1A, 1B are replaced by a“3” in FIGS. 3A, 3B.

In FIG. 3A, the receipt of a “login:” prompt 310 causes a transition toa state s1, wherein the system is expected to send something to thedevice in response to this prompt. At s1, the system sends a login name315, and transitions to state s2, to wait for a response from thedevice. If a “password:” prompt 320 is received, the system transitionsto S3, wherein it sends a password 325 and progresses to state S4 toawait a response from the device. The receipt of a “>” prompt 340signals successful completion of the authentication process, and thesystem transitions to the success state S.

If the appropriate “login:” 310, “password:” 320, and “>” 340 promptsare not received in the appropriate sequence of states, this indicatesthat the authentication process using this state diagram does notprovide a successful access and the system enters a failed state F. Thisfailure may be caused by any of a variety of causes, based on theresponses from the device. The device may not send the anticipatedresponse because an unauthorized login name 315 or password 325 had beensent by the system; or, the device may not send the anticipated responsebecause it uses an access protocol that does not correspond to the statediagram of FIG. 3A. That is, for example, the device may be one thatuses an access protocol corresponding to the state diagram of FIG. 3B.

FIG. 3B illustrates a state diagram corresponding to the access protocolsequence of FIG. 1B. As in FIG. 3A, the system receives prompts 360,370, 380, and 390 from the device, and sends responses 365, 375, and 385to the device, in the sequence of states from connect C to either of asuccess S or failure F state. As in FIG. 3A, an unexpected response fromthe device leads to a failed authentication F state, and this failuremay be due to erroneous data being provided to the device, or due tofact that the device's access protocol does not correspond to this statediagram.

In a simple embodiment of this invention, a state diagram correspondingto each known device type can be created, and the system can beconfigured to execute these state diagrams in sequence. Each time afailure state is reached, a next state diagram is initiated until asuccess state is eventually reached, or until all state diagrams havebeen attempted.

In accordance with another aspect of this invention, a ‘universal’ statediagram model is defined, and the system is configured to execute thisstate diagram to discover the access sequence for each device; when theproper access sequence for each device is discovered, the script thateffects this sequence is saved for subsequent access to the device.

In a preferred embodiment, each step in the authentication procedure ismodeled as a State “s” in the model. Each state “s” is associated withan Action “a” to be performed on the network device and a response “r”returned by the network device for the executed action. All the possiblestates constitute the State Set, S={s₁, s₂, . . . , s_(n)}. All thepossible actions constitute the Action Set, A={a₁, a₂, . . . , a_(m)}.There is a one-to-many correspondence between the actions and thestates, i.e., an action can be associated with more than one state. Theset of accepted state transitions is defined as “T={^(w)p_((a,r))→q}, p,q ε S and p≠q, a ε A, r is the response received from the network deviceand w is the weight associated with making the state transition. Thepossible state transitions chosen from a given state is dependent on theresponse received and action performed at that state. Each response canbe associated with multiple state transitions. To accommodate this, eachstate transition “t” is associated with a weight “w”. The weight helpsin determining the choices made with respect to the state transitions ateach state. The lower the weight the higher the priority choosing thatstate transition. The set of possible states and its associated actionsalong with the set of accepted state transitions collectively form thestate machine. A device access script is defined as the set of statetransitions performed to take the process from the Connect state toeither a Success or Failure state.

FIG. 4A illustrates an example universal state diagram model that hasbeen found to be effective for modeling the access protocol for anextensive variety of network devices. Using seven defined states, it hasbeen found that a set of transitions between these states can be foundto model the access protocol for all network devices tested thus far.One of ordinary skill in the art will recognize that if a new state isrequired for modeling the access protocol of a newly released device, orof a new access protocol standard, it can easily be added. One ofordinary skill in the art will also recognize that another universalstate diagram may be developed for use in a script generating system ofthis invention. For example, the state diagrams of FIGS. 3A and 3Bdefines a state uniquely for each reception state, waiting for a promptfrom the device, and each transmission state, generating a response tothe device. As discussed further below, recognizing that the accessprotocols generally include a prompt-response pair, the exemplaryuniversal model uses states that include such pairs. FIG. 4B illustratesthe actions performed within a state, and the transition to subsequentstates, and is discussed further below.

The seven states used in the example universal model of access protocolsare defined below.

Connect State: This is the initial state in the generation of the deviceaccess script. In this state a connection is established with thenetwork device using one of the pre-determined authentication schemes.Once the connection is established, we wait for the initial prompt sentby the network device.

Username State: In this state, the process sends the username to thenetwork device for authentication. Once the username is sent the networkdevice generally prompts for the “Password” associated with theusername.

Password State: In this state, the process sends the password to thenetwork device for authentication. Once the password is authenticatedagainst the network device, the network device generally responds backwith the prompt that signals authenticated access, and gives control tothe user. Although most of the network devices associate a passwordalong with a username, there are many network devices that do not followthis, such as the device of FIG. 1B.

Enable State: In this state, the process sends the command that enablesadvancing to a higher access level of the network device, to request forsuper user privileges to the network device.

Enable Password State or Privileged Password State: In this state, theprocess sends the enable password to the network device. Once thenetwork device authenticates the enable password, it generally grantssuper user privileges to the process.

Failure State: If for any reason, the network device reports errors ordoes not support any of the commands, it informs the process about theerrors. This results in the process unable to complete theauthentication procedure and results in the failure state. This statemay include an action to record the sequence that led to this state, fordiagnostic purposes, as discussed further below.

Success State: This is the final state in the successful generation ofthe device access protocol script. Once the process has reached thisstate, it has found the set of state transitions that will lead to asuccessful authentication procedure. Preferably, this state includes anaction to record an identifier of the device and the sequence that ledto this state, to facilitate creation of an access protocol script forthis device, as discussed further below.

A variety of possible transitions between states are identified in themodel of FIG. 4A, numbered from 0 to 11. Consider, for example, usingthe state diagram model of FIG. 4A, with the internal operation in eachstate conforming to FIG. 4B. As illustrated in FIG. 4B, each state willbe defined to have a set of specified actions 420 to perform in thisstate, and a set of expected responses 440 associated with eachpotential next state 450. Each of the possible transitions identified inFIG. 4A will have one or more defined action-response pairs,T={^(w)p_((a,r))→q}, as discussed above. This example includes onlytwelve transitions, but one of ordinary skill in the art will recognizethat the number of states, and thus the number of possible transitions,is virtually unbounded; in this example of seven states, the number ofpossible transitions to a different state from each state is six, andtherefore the number of total possible transitions is 42 (6*7).

At 410 of FIG. 4B, the system enters the Connect state, wherein, for apossible transition to the Username state identifies an action ofestablishing a telnet authentication scheme, and expect a “login:”response (110 of FIG. 1A). If the target device corresponds to thedevice in the example of FIG. 1A, the response 110 is a “login:” prompt,and therefore the system will identify the “login:” prompt as theexpected prompt 440 for branching to the Username state as a next state450, as indicated by the transition 0 in FIG. 4A. If a different promptis received, a failure 460 is encountered, and the system will proceedto test another transition (1, 2, 3) from the Connect state, using thecorresponding action-expected response pair T={^(w)p_((a,r))→q}. Asnoted above, each transition T includes a weight w, and this weight isused to determine the order used to test each transition.

Continuing the example of a device that uses an access protocol asillustrated in FIG. 1A, the system enters the Username state at 410,wherein the associated action-response pair for transitioning to thePassword state includes the action 420 of sending of the user name, andan expected response of a “password:” prompt (120 in FIG. 1). If thisresponse is received after sending the user name, the system transitionsto the Password state, via the transition 4 of FIG. 4A. Otherwise, at440, the system transitions to the failure state 460, and the nextpossible transition from the Username state is attempted. That is, basedon the response received from the device, the system transitions to theappropriate state based on the match criteria and the associated weight.If the response received matches a condition for transitioning to thenext state, then the system would transitions to that state. However, ifthe response does not match, the system transitions to the FailureState, thereby acknowledging and marking that the sequence of stepstaken thus far will not lead to a successful access protocol.Thereafter, the other possible sequences are attempted, to find asuccessful access protocol, if one exists. As noted above, the weightassociated with the transitions determines the order in which eachtransition is attempted. One of ordinary skill in the art will recognizethat any of a variety of backtracking schemes may be used after reachingthe failure state 460, using, for example, heuristic techniques todetermine which alternative states may provide a greater likelihood ofsuccess.

From the Password state of FIG. 4A, a transition to the success stateincludes an action-response pair wherein the action is the sending of apassword (125 in FIG. 1), and receipt of a authentication prompt “#”140. If the authentication prompt 140 is received, the systemtransitions to the Success state as the next state 450, via transition 8of FIG. 4A, thereby completing a successful access authentication. Thesuccessful transitions, i.e. the states visited along the way to thesuccess state, 0-4-8 define a script that can be stored associated withthe device for which the successful access authentication was achieved,thereby eliminating the need to execute the model of FIG. 4A torediscover this script. That is, the transitions 0-4-8 correspond to ascript of:

-   -   set up telnet authentication, receive “login:” prompt        (transition 0);    -   send user name, receive “password:” prompt (transition 4); and    -   send password name, receive “#” prompt (transition 8).

Note that a device having an access protocol of FIG. 1B would notprovide the same responses, the system would not provide the sameactions, and the set of transitions to achieve a success state willdiffer from the prior example, and therefore a different script will beproduced. For example, gaining access to the device using the accessprotocol of FIG. 1B would progress through transitions 3-7-9-11 in FIG.4A, and a script corresponding to the action-response pairs of thesetransitions would be stored for that device (FIG. 7, discussed below).

In a preferred embodiment, it has been found that the primarydevice-related actions associated with each transition can be modeled asone of the following four actions.

Connect Action: This action is executed only in the Connect State. Aconnection to the network device is activated based on thepre-determined authentication scheme. The network device responds withthe initial prompt, which is stored as the response as part of anaction-response pair that defines a transition from this state.

Disconnect Action: This action is executed upon reaching the SuccessState, or after exhausting all access attempts. Typically, thediscovery, creation, and storage of an access protocol for a networkdevice is conducted as an independent action, and therefore theconnection that was established to the device during this process can bedisconnected once the protocol is successfully discovered, or uponexhausting all possibilities. This action also typically includes thestorage of the access protocol, with appropriate linkage to the networkdevice, if the access was successful, or the storage of diagnosticinformation, if the access was unsuccessful, and other administrativetasks.

Send Action: This is the most common action performed at the variousstates. The action includes sending a response/command to the networkdevice. Once the network device processes the response/command, it isexpected to send its response, typically in the form of a prompt.

No Action: Some states may not require an action to be performed withregard to the network device, such as the failure state.

As noted above, the universal model of FIG. 4A has been found to beeffective for discovering access protocols for a wide variety of networkdevices. However, as new devices are made available, or new standardsare developed for network management, the details of the model maychange, or it may be replaced entirely in an alternative application. Ina preferred embodiment, the model used to discover access protocols isstored in a text file that facilitates such changes. Preferably, thetext is organized in a structured manner, to facilitate diagnosis andmaintenance of the model.

FIG. 5 illustrates an example extract of an XML (Extensible MarkupLanguage) file that facilitates the creation and alteration of auniversal model in accordance with this invention.

In this example embodiment, the actions for each state are storedindependent of the transition conditions of each state, because as notedabove, in the example embodiment, entry into a given state effects theaction, regardless of the subsequent response from the device.Alternative structures to support differentstate-action-response-transition relationships will be evident to one ofordinary skill in the art. The segment 510 illustrates the definition ofthe action to be performed upon entering the USERNAME_STATE 511. Theaction is a SEND_ACTION 512, defined above as the sending of aresponse/command to the network device, which response/command in thisexample is the $USERNAME 513, the “$” indicating an indirect access to alocation that contains the accessing system's user name. Notillustrated, if the user uses different user names for differentdevices, a preprocessor will typically be configured to load theappropriate user name at this defined location at the start of thediscovery process for each target device.

The segments 520 and 530 illustrate example definitions of transitions,corresponding to transitions 4 and 5 in FIG. 4A. At segment 520,identified as StateTransition_4 521, the “from” state for thistransition is identified as USERNAME_STATE 522, corresponding to theUsername state in FIG. 4A, and the “to” state for this transition(corresponding to “Next State” 450 in FIG. 4B) is identified asPASSWORD_STATE 523, corresponding to the Password state in FIG. 4A. Thesame “from” state USERNAME_STATE is identified at 532 in segment 530,StateTransition_5 531, but a different “to” state, ENABLE_STATE 533 isidentified as the next state.

To effect StateTransition_4 521, from the USERNAME_STATE 522 to thePASSWORD_STATE 523, the received response must match the matchconditions 524, corresponding to the “expected?” test 440 of FIG. 4B. Inthis example, a vertical bar “|” is used to indicate alternativematching responses; in this case, either “password:” or “enterpassword:” would be acceptable responses to effect the transition toPASSWORD_STATE 523, corresponding to transition 4 in FIG. 4A. In apreferred embodiment, the match conditions 524 may also include “wildcard” matching, so that an exact match of each character in the responseneed not be required.

If the “password:” or “enter password:” response is not received, thesystem will check for other possible matches, corresponding to othertransitions. At segment 530, “StateTransition_5” 531, the matchcondition for transitioning to the “ENABLE STATE” 533 is given as a “&”534; if a “&” is received from the device while in the “USERNAME STATE”532, the system will transition to the “ENABLE STATE”, corresponding totransition 5 in FIG. 4A.

As noted above, each transition is allocated a weight for determiningthe order in which to attempt each transition. If the match conditionsof each transition are disjoint, such as match conditions 524 and 534,the priority has no effect, because only the transition that includes amatch to the received response will be enabled, regardless of order inwhich the transitions/matchings are attempted. However, if differenttransitions from the same state include one or more common matchconditions, such as match conditions 534 and 544, and the responsecorresponds to a common match condition, such as in the above example ofreceiving a “&” response, the first attempted transition will be thefirst executed transition. In this example, StateTransition_5 531 isgiven a priority of “50” 535, and StateTransition_6 541 is given apriority of “70” 545, and therefore StateTransition_5 will be attemptedfirst. This choice of giving priority to StateTransition_5 531 may bebased on a variety of factors; in this example, entry to the“ENABLE_STATE” is preferable because, as discussed above, the“ENABLE_STATE” allows the system to attempt to gain ‘superuser’ accessto the device. If this attempt to gain ‘superuser’ access fails, thesystem will backtrack and eventually reenter the “USERNAME_STATE”. Uponreentry, the system will have recorded that StateTransition_5 wasunsuccessful, will attempt StateTransistion_6, and, upon receipt of an“&”, will transition to the “SUCCESS_STATE” 543, corresponding totransition 6 in FIG. 4A.

The choice of priorities may also be based on other factors, such asheuristics that indicate likely paths to the success state, such as aheuristic that indicates that most device access protocols call for apassword after providing a username, or, the priority may be based onheuristics specific to the particular network, and so on. For example,most networks include common families of devices, because the samevendor is generally used when networks are initially created. If it isknown or determinable that a particular network primarily containsdevices with a more common protocol, the priority of transitionscorresponding to this protocol may be given a higher priority.Similarly, some transitions may be identified as a ‘last resort’,wherein even though the transition may eventually lead to a successstate, other transitions are always preferred.

One of ordinary skill in the art will recognize that other priorityschemes may be used as well; for example, the order in which the statetransition definitions appear in the model could determine whichtransitions are attempted first, and so on. Similarly, one of ordinaryskill in the art will recognize that the priority parameter need not be‘static’, and heuristics and other learning system techniques can beused to dynamically adjust the priority ordering based on experienceswithin a given network or other factors.

FIG. 6 illustrates an example embodiment of an automated access systemin accordance with this invention.

An accessing system 630 is preferably configured to determine whether adevice access script 650 is available for accessing a target networkdevice 640. If the script is available, it is used to access the device640; otherwise, the accessing system 630 is configured to use an accessprotocol discovery module 620 to discover the access protocol for thetarget device 640.

The access protocol discovery module 620 is configured to use theinformation contained in a universal access protocol model 610 todiscover a viable access protocol sequence for accessing a networkdevice 640 from an accessing system 630, as detailed above. When asuccessful access protocol is found, it is stored as a device accessscript 650 for subsequent access to this device. For example, an accessfile may be maintained that includes the IP address of each device 640in the network, and a pointer to a device access script 650 for thisdevice. Optionally, the device type or device model name may be stored,as well, so that other devices on the network corresponding to this typeor model may also use the same device access script in lieu ofdiscovering the access protocol for each of these devices.

An example device access script 650 is illustrated as a structured textfile in FIG. 7. This model corresponds to the access protocolillustrated in FIG. 1B, corresponding to a discovered 3-7-9-11transition sequence of FIG. 4A. The script is processed sequentially.The system is initialized to the Connect state 710, and awaits a promptfrom the device. If the received prompt matches the expected “password:”or “enter password:” prompt 720, the system proceeds (transition 3 inFIG. 4A) to the Password state 730, wherein it sends the password 731,and awaits one of the expected prompts 732. Implicit in this script, ifthe expected prompt is not encountered, the accessing system 630 in FIG.6 notifies the user of an anomaly, because this script had previouslybeen successful for accessing the device. Barring such anomalies, thesystem progresses to the Enable state (transition 7) 740, to theEnable_Password state (transition 9) 750, and on to a successful access(transition 11).

In a preferred embodiment of this invention, the access protocoldiscovery module 620 is configured to proceed through the various statesof the access protocol model 610 until the success state is reached, oruntil a failure is reached. If a failure occurs, the system backtracksto the last state that has a not-yet-tried transition for the currentsequence. For example, if the system progresses to the Enable state inFIG. 4A, based on a successful transition 0—transition 4—transition 7sequence, and then fails, the system will backtrack to the Passwordstate, and attempt transition 8, in lieu of the prior transition 7. Ifthis is unsuccessful, the system backtracks further, to the Usernamestate, and attempts transition 5, in lieu of the prior transition 4, andso on. Alternatively, if, for example, the network devices require areset to an initial state to restart a sequence, the system may beconfigured to restart from the Connect state whenever the Failure stateis reached, having kept a record of each prior sequence that wasunsuccessful.

Also in a preferred embodiment, the record of one or more of theattempted sequences for a given device is stored (690 in FIG. 6), anddeleted whenever the sequence discoverer 620 finds a successfulsequence. In this manner, the sequences 690 will correspond to attemptsto connect to a currently inaccessible device 640. These sequences 690have been found to be effective for diagnosing an inability to access adevice 640. Generally, the longest sequence associated with anyinaccessible device is typically of particular interest, because longsequences generally terminate at a state close to the Success state. Thedevice response that caused the transition to the Failure state isrecorded with the sequence of transitions, so that the user can identifythe problem, and, if appropriate, modify the protocol model 610 toinclude this last response as an expected response.

The foregoing merely illustrates the principles of the invention. Itwill thus be appreciated that those skilled in the art will be able todevise various arrangements which, although not explicitly described orshown herein, embody the principles of the invention and are thus withinthe spirit and scope of the following claims.

In interpreting these claims, it should be understood that:

-   -   a) the word “comprising” does not exclude the presence of other        elements or acts than those listed in a given claim;    -   b) the word “a” or “an” preceding an element does not exclude        the presence of a plurality of such elements;    -   c) any reference signs in the claims do not limit their scope;    -   d) several “means” may be represented by the same item or        hardware or software implemented structure or function;    -   e) each of the disclosed elements may be comprised of hardware        portions (e.g., including discrete and integrated electronic        circuitry), software portions (e.g., computer programming), and        any combination thereof;    -   f) hardware portions may be comprised of one or both of analog        and digital portions;    -   g) any of the disclosed devices or portions thereof may be        combined together or separated into further portions unless        specifically stated otherwise;    -   h) no specific sequence of acts is intended to be required        unless specifically indicated; and    -   i) the term “plurality of” an element includes two or more of        the claimed element, and does not imply any particular range of        number of elements; that is, a plurality of elements can be as        few as two elements, and can include an immeasurable number of        elements.

1. A method of discovering, by a first device, an authenticationprotocol used by a second device in a network, wherein theauthentication protocol defines a sequence of actions required tosuccessfully authenticate with the second device, said methodcomprising: establishing, by the first device, a connection with thesecond device; accessing, by the first device, a model of a plurality ofauthentication protocols; executing, by the first device, a plurality ofactions based on the model until the first device successfullyauthenticates with the second device; and recording, by the firstdevice, a sequence of the actions that resulted in successfulauthentication with the second device.
 2. The method of claim 1, whereinestablishing the connection with the second device comprises determiningwhether the second device is accessible by the first device.
 3. Themethod of claim 1, wherein the model is comprises a plurality of statesand the model transitions from one state to another state when initiatedby a transition.
 4. The method of claim 3, wherein each authenticationprotocol is defined by a sequence of transitions between select statesin the model.
 5. The method of claim 4, wherein the states of the modelcomprise: a first state that serves as an initial state of the sequence,a second state wherein an identification of a user is communicated tothe second device, a third state wherein a password of the user iscommunicated to the second device, an fourth state wherein a command iscommunicated to the second device, requesting that a higher level ofaccess by enabled, and a fifth state wherein a second password of theuser is communicated to the second device to gain the higher level ofaccess.
 6. The method of claim 5, wherein the states of the modelfurther comprise: a sixth state that identifies a final state of thesequence that defines an authentication protocol, and a seventh statethat identifies a final state of a sequence that does not define anauthentication protocol.
 7. The method of claim 5, wherein the modelincludes a plurality of action-response pairs that define thetransitions between the states.
 8. The method of claim 7, furthercomprising: upon entering at least one state of the plurality of states,executing an action of an action-response pair corresponding to atransition from the state; receiving a device response from the device;and transitioning to a next state based on whether the device responsecorresponds to an expected response of the action-response pair.
 9. Themethod of claim 8, further comprising transitioning to the next statebased on a priority associated with each of the plurality oftransitions, and wherein the expected response corresponds to aplurality of transitions from the state.
 10. The method of claim 5,wherein at least one state includes a plurality of possible transitions,and each transition of the possible transitions includes a parameterthat affects an order in which the possible transitions are selected forconsideration within the state.
 11. The method of claim 10, modifyingthe parameter that affects the order in which the possible transitionsare selected for consideration based on prior access attempts.
 12. Amethod of authenticating with a plurality of devices in a network, saidmethod comprising: establishing respective connections with the devicesin the network; determining, for each device, an access protocol basedon information recorded in an access file, wherein the access file ismaintained by a discovery system that discovered the access protocolused by each device based on a model of a plurality of access protocols;and authenticating with the devices in the network based on the accessprotocol indicated by the information from the access file.
 13. Themethod of claim 12, wherein authenticating with the devices in thenetwork comprises determining an address of at least one of the devicesin the network and determining at least one access protocol from theaccess file based on the address.
 14. The method of claim 12, whereinauthenticating with the devices in the network comprises determining adevice type for at least one of the devices in the network anddetermining at least one access protocol from the access file based onthe device type.
 15. The method of claim 12, wherein authenticating withthe devices in the network comprises determining a model name for atleast one of the devices in the network and determining at least oneaccess protocol from the access file based on the model name.
 16. Adiscovery system configured to discover an authentication protocol usedby devices in a network, said system comprising: an interface, coupledto the network, for establishing a connection with devices in thenetwork; a storage configured to provide a model for a plurality ofauthentication protocols; and a processor, configured by executableprogram code, to execute a plurality of actions based on the model untilthe system successfully authenticates with the devices in the network,and record information indicating which sequences of actions resulted insuccessful authentications.
 17. The discovery system of claim 16,wherein the processor is configured to provide information indicatingauthentication protocols of the devices in the network responsive to arequest by another system.
 18. The discovery system of claim 16, whereinthe processor is configured to record information indicating an addressin the network for the devices and a pointer to each of the sequencesthat resulted in successful authentication.
 19. The discovery system ofclaim 16, wherein the processor is configured to record informationindicating a device type for the devices in the network.
 20. Thediscovery system of claim 16, wherein the processor is configured torecord information indicating a model name for the devices in thenetwork.
 21. The system of claim 16, wherein the model comprises aplurality of states, and each authentication protocol is defined by asequence of transitions between select states.
 22. The system of claim16, wherein the states of the model comprise: a first state that servesas an initial state of the sequence, a second state wherein anidentification of a user is communicated to the second device, a thirdstate wherein a password of the user is communicated to the seconddevice, a fourth state wherein a command is communicated to the seconddevice, requesting that a higher level of access by enabled, and a fifthstate wherein a second password of the user is communicated to thesecond device to gain the higher level of access.
 23. The system ofclaim 22, wherein the states of the model further comprise: a sixthstate that identifies a final state of the sequence that defines anauthentication protocol, and a seventh state that identifies a finalstate of a sequence that does not define an authentication protocol. 24.The system of claim 16, wherein the model includes a plurality ofaction-response pairs that define the transitions between the states.25. The system of claim 16, wherein at least one state includes aplurality of possible transitions, and each transition of the possibletransitions includes a parameter that affects an order in which thepossible transitions are selected for consideration within the state.26. The system of claim 25, wherein the processor is configured tomodify the parameter that affects the order in which the possibletransitions are selected for consideration based on prior accessattempts